Generated on Wed, 18 Jan 2023 12:09:21

Summary of Alerts

Risk Level Number of Alerts
High 0
Medium 2
Low 9
Informational 1

Passing Rules

Name Rule Type Threshold Strength
Private IP Disclosure Passive MEDIUM -
Session ID in URL Rewrite Passive MEDIUM -
X-Debug-Token Information Leak Passive MEDIUM -
Username Hash Found Passive MEDIUM -
X-AspNet-Version Response Header Passive MEDIUM -
Insecure JSF ViewState Passive MEDIUM -
Script Passive Scan Rules Passive MEDIUM -
Stats Passive Scan Rule Passive MEDIUM -
Charset Mismatch Passive MEDIUM -
Content-Type Header Missing Passive MEDIUM -
X-Frame-Options Header Passive MEDIUM -
Application Error Disclosure Passive MEDIUM -
Information Disclosure - Debug Error Messages Passive MEDIUM -
Information Disclosure - Sensitive Information in URL Passive MEDIUM -
Information Disclosure - Sensitive Information in HTTP Referrer Header Passive MEDIUM -
WSDL File Detection Passive MEDIUM -
Loosely Scoped Cookie Passive MEDIUM -
Viewstate Passive MEDIUM -
Cross-Domain Misconfiguration Passive MEDIUM -
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) Passive MEDIUM -
Weak Authentication Method Passive MEDIUM -

Sites

https://himemory.191810.xyz

HTTP Response Code Number of Responses
404 Not Found 20
200 OK 232

No Authentication Statistics Found

Parameter Name Type Flags Times Used # Values

Alert Detail

Medium
CSP: Wildcard Directive
Description
The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:

script-src, style-src, img-src, connect-src, frame-src, font-src, media-src, object-src, manifest-src, worker-src, prefetch-src, form-action

The directive(s) form-action are among the directives that do not fall back to default-src; omitting them is the same as allowing anything.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/like.php?id=1
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 368 bytes.
Response Body - size: 109 bytes.
URL https://himemory.191810.xyz/like.php?id=2
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 368 bytes.
Response Body - size: 109 bytes.
URL https://himemory.191810.xyz/like.php?id=3
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 368 bytes.
Response Body - size: 109 bytes.
URL https://himemory.191810.xyz/like.php?id=4
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 368 bytes.
Response Body - size: 109 bytes.
URL https://himemory.191810.xyz/login.php
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 347 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,712 bytes.
URL https://himemory.191810.xyz/login.php?from=user.php?id=1
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 443 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,716 bytes.
URL https://himemory.191810.xyz/login.php?from=user.php?id=2
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 457 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,716 bytes.
URL https://himemory.191810.xyz/login.php?from=user.php?id=3
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 471 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,716 bytes.
URL https://himemory.191810.xyz/login.php?from=user.php?id=4
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 443 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,716 bytes.
URL https://himemory.191810.xyz/register.php
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 423 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 3,218 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=2
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,881 bytes.
URL https://himemory.191810.xyz/user.php?id=2&like=1
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 463 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,921 bytes.
URL https://himemory.191810.xyz/user.php?id=3
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 383 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,195 bytes.
URL https://himemory.191810.xyz/user.php?id=3&like=1
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 477 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,235 bytes.
URL https://himemory.191810.xyz/user.php?id=4
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,345 bytes.
URL https://himemory.191810.xyz/user.php?id=4&like=1
Method GET
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 449 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,385 bytes.
URL https://himemory.191810.xyz/check.php
Method POST
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 491 bytes.
Request Body - size: 124 bytes.
Response Header - size: 505 bytes.
Response Body - size: 148 bytes.
URL https://himemory.191810.xyz/register_check.php
Method POST
Parameter
Attack
Evidence frame-ancestors https://himemory.191810.xyz/;
Request Header - size: 545 bytes.
Request Body - size: 134 bytes.
Response Header - size: 505 bytes.
Response Body - size: 151 bytes.
Instances 22
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference http://www.w3.org/TR/CSP2/
http://www.w3.org/TR/CSP/
http://caniuse.com/#search=content+security+policy
http://content-security-policy.com/
https://github.com/shapesecurity/salvation
https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
Tags OWASP_2021_A05
OWASP_2017_A06
CWE Id 693
WASC Id 15
Plugin Id 10055
Medium
Vulnerable JS Library
Description
The identified library jquery, version 3.3.1, is vulnerable.
URL https://himemory.191810.xyz/js/jquery.js
Method GET
Parameter
Attack
Evidence * jQuery JavaScript Library v1.3.2
Request Header - size: 423 bytes.
Request Body - size: 0 bytes.
Response Header - size: 385 bytes.
Response Body - size: 57,254 bytes.
URL https://himemory.191810.xyz/js/vendor/jquery-3.3.1.min.js
Method GET
Parameter
Attack
Evidence jquery-3.3.1.min.js
Request Header - size: 431 bytes.
Request Body - size: 0 bytes.
Response Header - size: 386 bytes.
Response Body - size: 86,929 bytes.
Instances 2
Solution
Please upgrade to the latest version of jquery.
Reference https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Tags OWASP_2017_A09
OWASP_2021_A06
CWE Id 829
WASC Id
Plugin Id 10003
Cookie No HttpOnly Flag
Description
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
URL https://himemory.191810.xyz/
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter X_CACHE_KEY
Attack
Evidence Set-Cookie: X_CACHE_KEY
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/robots.txt
Method GET
Parameter X_CACHE_KEY
Attack
Evidence Set-Cookie: X_CACHE_KEY
Request Header - size: 265 bytes.
Request Body - size: 0 bytes.
Response Header - size: 300 bytes.
Response Body - size: 5,738 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter visited_1
Attack
Evidence Set-Cookie: visited_1
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter liked_1
Attack
Evidence Set-Cookie: liked_1
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=2
Method GET
Parameter visited_2
Attack
Evidence Set-Cookie: visited_2
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,881 bytes.
URL https://himemory.191810.xyz/user.php?id=2&like=1
Method GET
Parameter liked_2
Attack
Evidence Set-Cookie: liked_2
Request Header - size: 463 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,921 bytes.
URL https://himemory.191810.xyz/user.php?id=3
Method GET
Parameter visited_3
Attack
Evidence Set-Cookie: visited_3
Request Header - size: 383 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,195 bytes.
URL https://himemory.191810.xyz/user.php?id=3&like=1
Method GET
Parameter liked_3
Attack
Evidence Set-Cookie: liked_3
Request Header - size: 477 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,235 bytes.
URL https://himemory.191810.xyz/user.php?id=4
Method GET
Parameter visited_4
Attack
Evidence Set-Cookie: visited_4
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,345 bytes.
URL https://himemory.191810.xyz/user.php?id=4&like=1
Method GET
Parameter liked_4
Attack
Evidence Set-Cookie: liked_4
Request Header - size: 449 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,385 bytes.
Instances 12
Solution
Ensure that the HttpOnly flag is set for all cookies.
Reference https://owasp.org/www-community/HttpOnly
Tags OWASP_2021_A05
WSTG-v42-SESS-02
OWASP_2017_A06
CWE Id 1004
WASC Id 13
Plugin Id 10010
Cookie Without Secure Flag
Description
A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.
URL https://himemory.191810.xyz/
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter X_CACHE_KEY
Attack
Evidence Set-Cookie: X_CACHE_KEY
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/robots.txt
Method GET
Parameter X_CACHE_KEY
Attack
Evidence Set-Cookie: X_CACHE_KEY
Request Header - size: 265 bytes.
Request Body - size: 0 bytes.
Response Header - size: 300 bytes.
Response Body - size: 5,738 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter visited_1
Attack
Evidence Set-Cookie: visited_1
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter liked_1
Attack
Evidence Set-Cookie: liked_1
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=2
Method GET
Parameter visited_2
Attack
Evidence Set-Cookie: visited_2
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,881 bytes.
URL https://himemory.191810.xyz/user.php?id=2&like=1
Method GET
Parameter liked_2
Attack
Evidence Set-Cookie: liked_2
Request Header - size: 463 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,921 bytes.
URL https://himemory.191810.xyz/user.php?id=3
Method GET
Parameter visited_3
Attack
Evidence Set-Cookie: visited_3
Request Header - size: 383 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,195 bytes.
URL https://himemory.191810.xyz/user.php?id=3&like=1
Method GET
Parameter liked_3
Attack
Evidence Set-Cookie: liked_3
Request Header - size: 477 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,235 bytes.
URL https://himemory.191810.xyz/user.php?id=4
Method GET
Parameter visited_4
Attack
Evidence Set-Cookie: visited_4
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,345 bytes.
URL https://himemory.191810.xyz/user.php?id=4&like=1
Method GET
Parameter liked_4
Attack
Evidence Set-Cookie: liked_4
Request Header - size: 449 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,385 bytes.
Instances 12
Solution
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
Reference https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Tags OWASP_2021_A05
WSTG-v42-SESS-02
OWASP_2017_A06
CWE Id 614
WASC Id 13
Plugin Id 10011
Cookie without SameSite Attribute
Description
A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a "cross-site" request. The SameSite attribute is an effective countermeasure against cross-site request forgery, cross-site script inclusion, and timing attacks.
URL https://himemory.191810.xyz/
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter X_CACHE_KEY
Attack
Evidence Set-Cookie: X_CACHE_KEY
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/robots.txt
Method GET
Parameter X_CACHE_KEY
Attack
Evidence Set-Cookie: X_CACHE_KEY
Request Header - size: 265 bytes.
Request Body - size: 0 bytes.
Response Header - size: 300 bytes.
Response Body - size: 5,738 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter visited_1
Attack
Evidence Set-Cookie: visited_1
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter liked_1
Attack
Evidence Set-Cookie: liked_1
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=2
Method GET
Parameter visited_2
Attack
Evidence Set-Cookie: visited_2
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,881 bytes.
URL https://himemory.191810.xyz/user.php?id=2&like=1
Method GET
Parameter liked_2
Attack
Evidence Set-Cookie: liked_2
Request Header - size: 463 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,921 bytes.
URL https://himemory.191810.xyz/user.php?id=3
Method GET
Parameter visited_3
Attack
Evidence Set-Cookie: visited_3
Request Header - size: 383 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,195 bytes.
URL https://himemory.191810.xyz/user.php?id=3&like=1
Method GET
Parameter liked_3
Attack
Evidence Set-Cookie: liked_3
Request Header - size: 477 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,235 bytes.
URL https://himemory.191810.xyz/user.php?id=4
Method GET
Parameter visited_4
Attack
Evidence Set-Cookie: visited_4
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,345 bytes.
URL https://himemory.191810.xyz/user.php?id=4&like=1
Method GET
Parameter liked_4
Attack
Evidence Set-Cookie: liked_4
Request Header - size: 449 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,385 bytes.
Instances 12
Solution
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
Reference https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site
Tags OWASP_2021_A01
WSTG-v42-SESS-02
OWASP_2017_A05
CWE Id 1275
WASC Id 13
Plugin Id 10054
Cross-Domain JavaScript Source File Inclusion
Description
The page includes one or more script files from a third-party domain.
URL https://himemory.191810.xyz/
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/img/logo.svg
Method GET
Parameter https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
Attack
Evidence <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
Request Header - size: 468 bytes.
Request Body - size: 0 bytes.
Response Header - size: 195 bytes.
Response Body - size: 5,738 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/js/menu.js
Method GET
Parameter https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
Attack
Evidence <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
Request Header - size: 421 bytes.
Request Body - size: 0 bytes.
Response Header - size: 195 bytes.
Response Body - size: 5,738 bytes.
URL https://himemory.191810.xyz/robots.txt
Method GET
Parameter https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
Attack
Evidence <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
Request Header - size: 265 bytes.
Request Body - size: 0 bytes.
Response Header - size: 300 bytes.
Response Body - size: 5,738 bytes.
URL https://himemory.191810.xyz/sitemap.xml
Method GET
Parameter https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
Attack
Evidence <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
Request Header - size: 321 bytes.
Request Body - size: 0 bytes.
Response Header - size: 195 bytes.
Response Body - size: 5,738 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=2
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,881 bytes.
URL https://himemory.191810.xyz/user.php?id=2&like=1
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 463 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,921 bytes.
URL https://himemory.191810.xyz/user.php?id=3
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 383 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,195 bytes.
URL https://himemory.191810.xyz/user.php?id=3&like=1
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 477 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,235 bytes.
URL https://himemory.191810.xyz/user.php?id=4
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,345 bytes.
URL https://himemory.191810.xyz/user.php?id=4&like=1
Method GET
Parameter https://www.google-analytics.com/analytics.js
Attack
Evidence <script src="https://www.google-analytics.com/analytics.js" async="" defer=""></script>
Request Header - size: 449 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,385 bytes.
URL https://himemory.191810.xyz/write.php
Method GET
Parameter https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
Attack
Evidence <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
Request Header - size: 411 bytes.
Request Body - size: 0 bytes.
Response Header - size: 195 bytes.
Response Body - size: 5,738 bytes.
Instances 15
Solution
Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.
Reference
Tags OWASP_2021_A08
CWE Id 829
WASC Id 15
Plugin Id 10017
Incomplete or No Cache-control Header Set
Description
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content.
URL https://himemory.191810.xyz/like.php?id=1
Method GET
Parameter Cache-Control
Attack
Evidence
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 368 bytes.
Response Body - size: 109 bytes.
URL https://himemory.191810.xyz/like.php?id=2
Method GET
Parameter Cache-Control
Attack
Evidence
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 368 bytes.
Response Body - size: 109 bytes.
URL https://himemory.191810.xyz/like.php?id=3
Method GET
Parameter Cache-Control
Attack
Evidence
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 368 bytes.
Response Body - size: 109 bytes.
URL https://himemory.191810.xyz/like.php?id=4
Method GET
Parameter Cache-Control
Attack
Evidence
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 368 bytes.
Response Body - size: 109 bytes.
Instances 4
Solution
Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate.
Reference https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
Tags WSTG-v42-ATHN-06
CWE Id 525
WASC Id 13
Plugin Id 10015
Secure Pages Include Mixed Content
Description
The page includes mixed content, that is, content accessed via HTTP instead of HTTPS.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence http://cms-bucket.ws.126.net/2020/0422/1e44993bp00q966r20011c000u000a0c.png
Request Header - size: 511 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 46,605 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence http://cms-bucket.ws.126.net/2020/0422/1e44993bp00q966r20011c000u000a0c.png
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence http://cms-bucket.ws.126.net/2020/0422/1e44993bp00q966r20011c000u000a0c.png
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence http://q2.qlogo.cn/headimg_dl?dst_uin=3120690593&spec=640&img_type=jpg
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence http://q2.qlogo.cn/headimg_dl?dst_uin=3120690593&spec=640&img_type=jpg
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=3
Method GET
Parameter
Attack
Evidence http://q2.qlogo.cn/headimg_dl?dst_uin=10000&spec=640&img_type=jpg
Request Header - size: 383 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,195 bytes.
URL https://himemory.191810.xyz/user.php?id=3&like=1
Method GET
Parameter
Attack
Evidence http://q2.qlogo.cn/headimg_dl?dst_uin=10000&spec=640&img_type=jpg
Request Header - size: 477 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,235 bytes.
URL https://himemory.191810.xyz/user.php?id=4
Method GET
Parameter
Attack
Evidence http://q2.qlogo.cn/headimg_dl?dst_uin=1371686359&spec=640&img_type=jpg
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,345 bytes.
URL https://himemory.191810.xyz/user.php?id=4&like=1
Method GET
Parameter
Attack
Evidence http://q2.qlogo.cn/headimg_dl?dst_uin=1371686359&spec=640&img_type=jpg
Request Header - size: 449 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,385 bytes.
Instances 9
Solution
A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.

The page must not contain any content that is transmitted over unencrypted HTTP.

This includes content from third party sites.
Reference https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
Tags OWASP_2021_A05
OWASP_2017_A06
WSTG-v42-CRYP-03
CWE Id 311
WASC Id 4
Plugin Id 10040
Timestamp Disclosure - Unix
Description
A timestamp was disclosed by the application/web server - Unix
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 11778168
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 1371686359
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 20221209
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 20230105
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 2023010501
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 20230106
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 2023010601
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 2023010602
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 2023010603
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 2023010604
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 2023010605
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 244 bytes.
Request Body - size: 0 bytes.
Response Header - size: 668 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 11778168
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 1371686359
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 20221209
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 20230105
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 2023010501
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 20230106
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 2023010601
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 2023010602
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 2023010603
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 2023010604
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 2023010605
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/index.php
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 320 bytes.
Request Body - size: 0 bytes.
Response Header - size: 563 bytes.
Response Body - size: 51,151 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence 20230106
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence 2023010601
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence 2023010602
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence 2023010603
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence 2023010604
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence 2023010605
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 351 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 20,682 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence 20230106
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence 2023010601
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence 2023010602
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence 2023010603
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence 2023010604
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence 2023010605
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=1&like=1
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 435 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 20,722 bytes.
URL https://himemory.191810.xyz/user.php?id=2
Method GET
Parameter
Attack
Evidence 1145141919
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,881 bytes.
URL https://himemory.191810.xyz/user.php?id=2
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,881 bytes.
URL https://himemory.191810.xyz/user.php?id=2&like=1
Method GET
Parameter
Attack
Evidence 1145141919
Request Header - size: 463 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,921 bytes.
URL https://himemory.191810.xyz/user.php?id=2&like=1
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 463 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,921 bytes.
URL https://himemory.191810.xyz/user.php?id=3
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 383 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,195 bytes.
URL https://himemory.191810.xyz/user.php?id=3&like=1
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 477 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,235 bytes.
URL https://himemory.191810.xyz/user.php?id=4
Method GET
Parameter
Attack
Evidence 1371686359
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,345 bytes.
URL https://himemory.191810.xyz/user.php?id=4
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 367 bytes.
Request Body - size: 0 bytes.
Response Header - size: 585 bytes.
Response Body - size: 15,345 bytes.
URL https://himemory.191810.xyz/user.php?id=4&like=1
Method GET
Parameter
Attack
Evidence 1371686359
Request Header - size: 449 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,385 bytes.
URL https://himemory.191810.xyz/user.php?id=4&like=1
Method GET
Parameter
Attack
Evidence 2147483647
Request Header - size: 449 bytes.
Request Body - size: 0 bytes.
Response Header - size: 583 bytes.
Response Body - size: 15,385 bytes.
Instances 48
Solution
Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
Reference http://projects.webappsec.org/w/page/13246936/Information%20Leakage
Tags OWASP_2021_A01
OWASP_2017_A03
CWE Id 200
WASC Id 13
Plugin Id 10096
X-Content-Type-Options Header Missing
Description
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
URL https://himemory.191810.xyz/css/login.css
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 424 bytes.
Request Body - size: 0 bytes.
Response Header - size: 371 bytes.
Response Body - size: 20,425 bytes.
URL https://himemory.191810.xyz/css/normalize.css
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 419 bytes.
Request Body - size: 0 bytes.
Response Header - size: 370 bytes.
Response Body - size: 6,393 bytes.
URL https://himemory.191810.xyz/css/style.css
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 415 bytes.
Request Body - size: 0 bytes.
Response Header - size: 371 bytes.
Response Body - size: 12,440 bytes.
URL https://himemory.191810.xyz/img/arealogo.png
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 418 bytes.
Request Body - size: 0 bytes.
Response Header - size: 351 bytes.
Response Body - size: 26,396 bytes.
URL https://himemory.191810.xyz/img/banners/banner-300x250A.jpg
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 433 bytes.
Request Body - size: 0 bytes.
Response Header - size: 353 bytes.
Response Body - size: 94,959 bytes.
URL https://himemory.191810.xyz/img/banners/banner-300x250B.jpg
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 433 bytes.
Request Body - size: 0 bytes.
Response Header - size: 352 bytes.
Response Body - size: 13,148 bytes.
URL https://himemory.191810.xyz/img/himemoryicon.png
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 406 bytes.
Request Body - size: 0 bytes.
Response Header - size: 351 bytes.
Response Body - size: 14,779 bytes.
URL https://himemory.191810.xyz/img/posts/2023_1_3_APPLE.PNG
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 430 bytes.
Request Body - size: 0 bytes.
Response Header - size: 280 bytes.
Response Body - size: 90,685 bytes.
URL https://himemory.191810.xyz/img/posts/thumbnail-1.jpg
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 427 bytes.
Request Body - size: 0 bytes.
Response Header - size: 352 bytes.
Response Body - size: 12,829 bytes.
URL https://himemory.191810.xyz/js/global.js
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 423 bytes.
Request Body - size: 0 bytes.
Response Header - size: 383 bytes.
Response Body - size: 3,448 bytes.
URL https://himemory.191810.xyz/js/jquery.js
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 423 bytes.
Request Body - size: 0 bytes.
Response Header - size: 385 bytes.
Response Body - size: 57,254 bytes.
URL https://himemory.191810.xyz/js/modal.js
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 422 bytes.
Request Body - size: 0 bytes.
Response Header - size: 383 bytes.
Response Body - size: 2,807 bytes.
URL https://himemory.191810.xyz/js/plugins.js
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 415 bytes.
Request Body - size: 0 bytes.
Response Header - size: 359 bytes.
Response Body - size: 730 bytes.
URL https://himemory.191810.xyz/js/vendor/jquery-3.3.1.min.js
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 431 bytes.
Request Body - size: 0 bytes.
Response Header - size: 386 bytes.
Response Body - size: 86,929 bytes.
URL https://himemory.191810.xyz/js/vendor/modernizr-3.6.0.min.js
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 434 bytes.
Request Body - size: 0 bytes.
Response Header - size: 384 bytes.
Response Body - size: 8,638 bytes.
URL https://himemory.191810.xyz/site.webmanifest
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Request Header - size: 402 bytes.
Request Body - size: 0 bytes.
Response Header - size: 290 bytes.
Response Body - size: 140 bytes.
Instances 16
Solution
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Reference http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
https://owasp.org/www-community/Security_Headers
Tags OWASP_2021_A05
OWASP_2017_A06
CWE Id 693
WASC Id 15
Plugin Id 10021
Absence of Anti-CSRF Tokens
Description
No anti-CSRF token was found in the submitted HTML form.

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

CSRF attacks are effective in a number of situations, including:

* The victim has an active session on the target site.

* The victim is authenticated via HTTP auth on the target site.

* The victim is on the same local network as the target site.

CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
URL https://himemory.191810.xyz/login.php
Method GET
Parameter
Attack
Evidence <form action="check.php" method="post">
Request Header - size: 347 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,712 bytes.
URL https://himemory.191810.xyz/login.php?from=user.php?id=1
Method GET
Parameter
Attack
Evidence <form action="check.php" method="post">
Request Header - size: 443 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,716 bytes.
URL https://himemory.191810.xyz/login.php?from=user.php?id=2
Method GET
Parameter
Attack
Evidence <form action="check.php" method="post">
Request Header - size: 457 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,716 bytes.
URL https://himemory.191810.xyz/login.php?from=user.php?id=3
Method GET
Parameter
Attack
Evidence <form action="check.php" method="post">
Request Header - size: 471 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,716 bytes.
URL https://himemory.191810.xyz/login.php?from=user.php?id=4
Method GET
Parameter
Attack
Evidence <form action="check.php" method="post">
Request Header - size: 443 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 2,716 bytes.
URL https://himemory.191810.xyz/register.php
Method GET
Parameter
Attack
Evidence <form action="register_check.php" method="post">
Request Header - size: 423 bytes.
Request Body - size: 0 bytes.
Response Header - size: 505 bytes.
Response Body - size: 3,218 bytes.
Instances 6
Solution
Phase: Architecture and Design

Use a vetted library or framework that does not allow this vulnerability to occur, or that provides constructs that make it easy to avoid.

For example, use anti-CSRF packages such as the OWASP CSRFGuard.

Phase: Implementation

Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.

Phase: Architecture and Design

Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).

Note that this can be bypassed using XSS.

Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.

Note that this can be bypassed using XSS.

Use the ESAPI Session Management control.

This control includes a component for CSRF.

Do not use the GET method for any request that triggers a state change.

Phase: Implementation

Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
Reference http://projects.webappsec.org/Cross-Site-Request-Forgery
http://cwe.mitre.org/data/definitions/352.html
Tags OWASP_2021_A01
WSTG-v42-SESS-05
OWASP_2017_A05
CWE Id 352
WASC Id 9
Plugin Id 10202
Informational
Information Disclosure - Suspicious Comments
Description
The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.
URL https://himemory.191810.xyz/js/jquery.js
Method GET
Parameter
Attack
Evidence select
Request Header - size: 423 bytes.
Request Body - size: 0 bytes.
Response Header - size: 385 bytes.
Response Body - size: 57,254 bytes.
URL https://himemory.191810.xyz/js/jquery.js
Method GET
Parameter
Attack
Evidence username
Request Header - size: 423 bytes.
Request Body - size: 0 bytes.
Response Header - size: 385 bytes.
Response Body - size: 57,254 bytes.
URL https://himemory.191810.xyz/js/vendor/jquery-3.3.1.min.js
Method GET
Parameter
Attack
Evidence username
Request Header - size: 431 bytes.
Request Body - size: 0 bytes.
Response Header - size: 386 bytes.
Response Body - size: 86,929 bytes.
Instances 3
Solution
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
Reference
Tags OWASP_2021_A01
OWASP_2017_A03
CWE Id 200
WASC Id 13
Plugin Id 10027